Salt Typhoon isn’t a storm. It’s a silent, state‑sponsored hijack of the world’s telecom backbone.

🔥𝗦𝗮𝗹𝘁 𝗧𝘆𝗽𝗵𝗼𝗼𝗻 𝗶𝘀 𝗻o𝘁 “𝗷𝘂𝘀𝘁 𝗮𝗻𝗼𝘁𝗵𝗲𝗿 𝗔𝗣𝗧”.🔥

𝗙𝗼𝗿 𝗜𝗦𝗣𝘀, 𝗶𝘁’𝘀 𝗮 𝗯𝗹𝘂𝗲𝗽𝗿𝗶𝗻𝘁 𝗳𝗼𝗿 𝗵𝗶𝗷𝗮𝗰𝗸𝗶𝗻𝗴 𝗲𝗻𝘁𝗶𝗿𝗲 𝗿𝗲𝗴𝗶𝗼𝗻𝘀 𝗼𝗳 𝘁𝗿𝗮𝗳𝗳𝗶𝗰 𝘃𝗶𝗮 𝘆𝗼𝘂𝗿 𝗰𝗼𝗿𝗲 𝗮𝗻𝗱 𝗲𝗱𝗴𝗲 𝗴𝗲𝗮𝗿.

If you move packets for communication, then there is problem.

𝗦𝗮𝗹𝘁 𝗧𝘆𝗽𝗵𝗼𝗼𝗻 𝗹𝗶𝘃𝗲𝘀 𝘄𝗵𝗲𝗿𝗲 𝗺𝗼𝘀𝘁 𝗺𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴 𝗶𝘀 𝗯𝗹𝗶𝗻𝗱:

Edge routers

Firewalls & VPN concentrators

Lawful interception & mediation boxes

Supplier firmware and management planes

𝗦𝘁𝗲𝗽𝘀 𝗳𝗼𝗿 𝗺𝗶𝘁𝗶𝗴𝗮𝘁𝗶𝗼𝗻:

1️⃣ 𝗦𝘁𝗲𝗽 𝟭: 𝗧𝗿𝗲𝗮𝘁 𝗲𝗱𝗴𝗲 𝗱𝗲𝘃𝗶𝗰𝗲𝘀 𝗮𝘀 𝗧𝗶𝗲𝗿‐𝟬

Stop thinking of CPE and edge as “appliances”.

ISPs should:

Classify all BNGs, PE routers, firewalls, LI boxes as Tier‑0 assets

Restrict admin access to dedicated jump hosts

Enforce phishing‑resistant MFA for all management accounts

2️⃣𝗦𝘁𝗲𝗽 𝟮: 𝗕𝘂𝗶𝗹𝗱 𝗮 𝘀𝗲𝗽𝗮𝗿𝗮𝘁𝗲 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗽𝗹𝗮𝗻𝗲

Salt Typhoon thrives when mgmt traffic rides the same paths as customer traffic.

𝗔𝗰𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝗜𝗦𝗣𝘀:

Move to out‑of‑band management networks

Block mgmt interfaces from public IP space by default

Use VPN + device certs for all mgmt access

Make it painful to even reach your routers.

3️⃣𝗦𝘁𝗲𝗽 𝟯: 𝗗𝗲𝗳𝗮𝘂𝗹𝘁‐𝗱𝗲𝗻𝘆 𝘆𝗼𝘂𝗿 𝗼𝘄𝗻 𝗻𝗲𝘁𝘄𝗼𝗿𝗸

ISPs often allow “just in case” flows between segments.

APT actors love that.

𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁 𝘁𝗵𝗶𝘀:

Default‑deny ACLs between core, edge, LI, and IT networks

Log all denied traffic and feed it into your SIEM

Strict egress controls from LI and mediation platforms

Flat networks = fast compromise.

4️⃣S𝘁𝗲𝗽 𝟰: 𝗣𝗮𝘁𝗰𝗵 𝗹𝗶𝗸𝗲 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝗮𝗿𝗲 𝘄𝗮𝘁𝗰𝗵𝗶𝗻𝗴 (𝗯𝗲𝗰𝗮𝘂𝘀𝗲 𝘁𝗵𝗲𝘆 𝗮𝗿𝗲)

Salt Typhoon heavily abuses known CVEs on edge gear.

𝗜𝗦𝗣𝘀 𝘀𝗵𝗼𝘂𝗹𝗱 𝗱𝗼 𝘁𝗵𝗶𝘀:

Maintain a live “must‑patch” list for Internet‑facing devices

Track vendor security advisories per platform, not per vendor

Tie executive KPIs to patch SLAs on core and edge equipment

If your edge runs unpatched for months, you’re offering free persistence.

5️⃣𝗦𝘁𝗲𝗽 𝟱: 𝗕𝘂𝗶𝗹𝗱 𝗜𝗦𝗣‐𝗴𝗿𝗮𝗱𝗲 𝘁𝗵𝗿𝗲𝗮𝘁 𝗵𝘂𝗻𝘁𝗶𝗻𝗴, 𝗻𝗼𝘁 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗹𝗼𝗴𝗴𝗶𝗻𝗴

Salt Typhoon hides inside “normal” patterns. Simple alerts won’t catch it.

𝗗𝗼 𝘁𝗵𝗶𝘀:

Centralize telemetry from routers, firewalls, LI, and AAA/RADIUS

𝗛𝘂𝗻𝘁 𝗳𝗼𝗿:

Unusual admin logins or new local users

Config changes out of change windows

Long‑lived connections from mgmt segments to strange destinations

You can’t defend what you don’t see.

6️⃣S𝘁𝗲𝗽 𝟲: 𝗦𝗲𝗰𝘂𝗿𝗲 𝗹𝗮𝘄𝗳𝘂𝗹 𝗶𝗻𝘁𝗲𝗿𝗰𝗲𝗽𝘁 𝗹𝗶𝗸𝗲 𝗶𝘁’𝘀 𝗿𝗮𝗱𝗶𝗼𝗮𝗰𝘁𝗶𝘃𝗲

When LI is compromised, you don’t just lose data — you lose regulatory trust.

𝗜𝗦𝗣𝘀 𝘀𝗵𝗼𝘂𝗹𝗱 𝗱𝗼 𝘁𝗵𝗶𝘀:

Isolate LI platforms in their own security zone

Enforce strict dual‑control for LI provisioning

Log and review every LI action and config change

Regularly test LI for unauthorized access paths

If you can’t prove LI hasn’t been abused, regulators will assume it has.

7️⃣𝗦𝘁𝗲𝗽 𝟳: 𝗧𝗿𝗲𝗮𝘁 𝘃𝗲𝗻𝗱𝗼𝗿𝘀 𝗮𝘀 𝗽𝗮𝗿𝘁 𝗼𝗳 𝘆𝗼𝘂𝗿 𝗮𝘁𝘁𝗮𝗰𝗸 𝘀𝘂𝗿𝗳𝗮𝗰𝗲

Salt Typhoon has shown how dangerous malicious firmware and weak supply chains can be.

​𝗔𝗰𝘁𝗶𝗼𝗻𝘀 𝗳𝗼𝗿 𝗜𝗦𝗣𝘀:

Only accept signed firmware from vetted, contractual channels

Maintain an SBOM (software bill of materials) for critical network gear

𝗔𝘀𝗸 𝘃𝗲𝗻𝗱𝗼𝗿𝘀 𝗱𝗶𝗿𝗲𝗰𝘁𝗹𝘆: “𝗛𝗼𝘄 𝗮𝗿𝗲 𝘆𝗼𝘂 𝗲𝗹𝗶𝗺𝗶𝗻𝗮𝘁𝗶𝗻𝗴 𝗺𝗲𝗺𝗼𝗿𝘆‐𝘀𝗮𝗳𝗲𝘁𝘆 𝗯𝘂𝗴𝘀 𝗮𝗻𝗱 𝘀𝘂𝗽𝗽𝗹𝘆 𝗰𝗵𝗮𝗶𝗻 𝗿𝗶𝘀𝗸?”

Your security is only as strong as your least‑transparent supplier.

8️⃣𝗦𝘁𝗲𝗽 𝟴: 𝗥𝘂𝗻 𝗰𝗿𝗶𝘀𝗶𝘀 𝗱𝗿𝗶𝗹𝗹𝘀 𝗹𝗶𝗸𝗲 𝘆𝗼𝘂’𝘃𝗲 𝗮𝗹𝗿𝗲𝗮𝗱𝘆 𝗯𝗲𝗲𝗻 𝗯𝗿𝗲𝗮𝗰𝗵𝗲𝗱

Assume a Salt Typhoon‑style actor is already in your core.

​

𝗗𝗼 𝗗𝗿𝗶𝗹𝗹 𝗳𝗼𝗿:

Sudden discovery of backdoored firmware

Silent LI compromise

Regional routing manipulation or traffic duplication

Measure MTTD/MTTR for backbone‑level incidents, not just endpoint malware.

𝗜𝗳 𝘆𝗼𝘂’𝗿𝗲 𝗮𝗻 𝗜𝗦𝗣 𝗼𝗿 𝗯𝗮𝗰𝗸𝗯𝗼𝗻𝗲 𝗼𝗽𝗲𝗿𝗮𝘁𝗼𝗿 𝗮𝗻𝗱 𝘄𝗮𝗻𝘁 𝗮 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗦𝗮𝗹𝘁 𝗧𝘆𝗽𝗵𝗼𝗼𝗻 𝗽𝗹𝗮𝘆𝗯𝗼𝗼𝗸 𝘁𝗮𝗶𝗹𝗼𝗿𝗲𝗱 𝘁𝗼 𝗰𝗮𝗿𝗿𝗶𝗲𝗿𝘀:

Reply “𝗜𝗦𝗣 𝗥𝗘𝗔𝗗𝗬” and you’ll get:

A 10‑control ISP checklist

Focused on edge gear, LI, supply chain, and mgmt plane hardening

Resilience at ISP scale is not optional anymore.